Bug
Resolution: Done
Normal
Logging 5.3.0
NEW
VERIFIED
Log Storage - Sprint 227, Log Storage - Sprint 228
Moderate
QE Confirmed
Description of problem:
The following error appears intermittently when logging in to Kibana:

{"statusCode":401,"error":"Unauthorized","message":"Authentication Exception"}

It started when the duration of the oauth session was changed to 10 mins (enforced by a Red Hat compliance operator remediation as per CIS guidelines):

~~~
$ oc get oauth cluster -o yaml
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  annotations:
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
    release.openshift.io/create-only: "true"
  creationTimestamp: "2022-05-14T11:47:47Z"
  generation: 7
  name: cluster
  ownerReferences:
  - apiVersion: config.openshift.io/v1
    kind: ClusterVersion
    name: version
    uid: c7248601-bee7-45c0-956e-e02e2c3eb720
  resourceVersion: "44916907"
  uid: 753258e4-d31b-453f-a7b8-52a63f018840
spec:
  identityProviders:
  - ldap:
      attributes:
        email:
        - mail
        id:
        - desktopProfile
        name:
        - cn
        preferredUsername:
        - desktopProfile
      bindDN: CN=SRVAPPOCPLDAPDEV01,OU=Application Admins Service Accounts,OU=Application Admins,OU=Shared Services,DC=global,DC=lloydstsb,DC=com
      bindPassword:
        name: ldap-secret
      ca:
        name: lbg-ldaps-cert
      insecure: false
      url: ldaps://dcrlgv0006.global.lloydstsb.com:636/DC=global,DC=lloydstsb,DC=com?desktopProfile
    mappingMethod: add
    name: global.lloydstsb.com
    type: LDAP
  tokenConfig:
    accessTokenInactivityTimeout: 10m0s
    accessTokenMaxAgeSeconds: 32400
~~~

- We cannot increase the accessTokenInactivityTimeout any further due to the compliance check.

Slack with Logging Engineering: https://coreos.slack.com/archives/CB3HXM2QK/p1660736656526239
Version-Release number of selected component (if applicable):
How reproducible:
The sequence of events is (see attached mp4):
1. Log onto the OCP UI.
2. Select logging - this prompts for another oauth log in.
3. After a period of inactivity, Kibana reports as being unauthorized.
4. If you then log onto the OCP UI and select LOGGING, it returns the 401 unauthorized error - if you look at the cookies there is one named _oauth_proxy for the kibana-openshift-logging.apps.<cluster> domain - if you delete this cookie and refresh, you are prompted to log in as per step 2.

Actual results: The presence of the _oauth_proxy cookie is causing the problem and we must delete it manually to log back in.
Expected results:
Not having login issues.
Additional info: